Esc

Screensaver - T1546.002

(ATT&CK® Technique)

Definition

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\Windows\System32</code>, and C:\Windows\sysWOW64</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.

 D3FEND Inferred Relationships
 Browse the D3FEND knowledge graph by clicking on the nodes below. 
 
 
  
 
 
         graph LR;

     T1546002["Screensaver"] --> |creates| ExecutableFile["Executable File"]; class T1546002 OffensiveTechniqueNode;
        class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
        click T1546002 href "/offensive-technique/attack/T1546.002/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1546002["Screensaver"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546002 OffensiveTechniqueNode;
        class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
        click T1546002 href "/offensive-technique/attack/T1546.002/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";                          FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | ExecutableFile["Executable File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1546002["Screensaver"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DynamicAnalysis["Dynamic Analysis"] -->
          | analyzes | ExecutableFile["Executable File"];

          DynamicAnalysis["Dynamic Analysis"] -.->
            | may-detect | T1546002["Screensaver"] ;
          class DynamicAnalysis DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
          | analyzes | ExecutableFile["Executable File"];

          EmulatedFileAnalysis["Emulated File Analysis"] -.->
            | may-detect | T1546002["Screensaver"] ;
          class EmulatedFileAnalysis DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";                            LocalFilePermissions["Local File Permissions"] -->
          | restricts | ExecutableFile["Executable File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-harden | T1546002["Screensaver"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] -->
          | encrypts | ExecutableFile["Executable File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1546002["Screensaver"] ;
          class FileEncryption DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";                                       DecoyFile["Decoy File"] -->
          | spoofs | ExecutableFile["Executable File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1546002["Screensaver"] ;
          class DecoyFile DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";              FileEviction["File Eviction"] -->
          | deletes | ExecutableFile["Executable File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1546002["Screensaver"] ;
          class FileEviction DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                            RestoreFile["Restore File"] -->
          | restores | ExecutableFile["Executable File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1546002["Screensaver"] ;
          class RestoreFile DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
          | analyzes | ExecutableFile["Executable File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1546002["Screensaver"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";                     ExecutableAllowlisting["Executable Allowlisting"] -->
          | blocks | ExecutableFile["Executable File"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | may-isolate | T1546002["Screensaver"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
          | blocks | ExecutableFile["Executable File"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | may-isolate | T1546002["Screensaver"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";                           RestoreConfiguration["Restore Configuration"] -->
          | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"];

          RestoreConfiguration["Restore Configuration"] -.->
            | may-restore | T1546002["Screensaver"] ;
          class RestoreConfiguration DefensiveTechniqueNode;
          class SystemConfigurationDatabaseRecord ArtifactNode;
          click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";                    
      
 
 
 json

  Use of the MITRE D3FEND™ Knowledge Graph and website is subject to the Terms of Use. Use of the MITRE D3FEND website is subject to the
    MITRE D3FEND Privacy Policy. MITRE D3FEND is funded
    by the
    National Security Agency
    (NSA)
    Cybersecurity Directorate
    and managed by the
    National Security Engineering Center
    (NSEC) which is operated by
    The MITRE Corporation. MITRE D3FEND; and the MITRE D3FEND logo are trademarks of The MITRE
    Corporation. MITRE ATT&CK® and ATT&CK® are registered trademarks of
    The MITRE Corporation. MITRE ATT&CK content is subject to the MITRE ATT&CK
    terms of use.
    This software was produced for the U. S. Government under Basic Contract No.
    W56KGU-18-D-0004, and is subject to the Rights in Noncommercial Computer
    Software and Noncommercial Computer Software Documentation Clause
    252.227-7014 (FEB 2012)
    
© 2023 The MITRE Corporation.
    
Approved for Public Release; Distribution Unlimited #20-2338 and #23-1207.